A framework for IPSec functional architecture.

In today\u27s network, various stand-alone security services and/or proxies are used to provide different security services. These individual security systems implementing one single security function cannot address security needs of evolving networks that require secure protocol such as IPSec. In this paper, we provide a framework for implementing IPSec security functions in a well structured functional architecture. The proposed architecture is modular and allows for composing software applications from products commercially available and developed by different suppliers to implement the entire security requirements of IPSec protocol. In addition the proposed architecture is robust in the sense that it supports open standards and interfaces, and implements security functions of IPSec as an integrated solution under a unified security management system.Dept. of Electrical and Computer Engineering. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2005 .F34. Source: Masters Abstracts International, Volume: 44-03, page: 1451. Thesis (M.Sc.)--University of Windsor (Canada), 2005

Unicast UDP Usage Guidelines for Application Designers

Publisher PD

Enabling Intrusion Detection in IPSEC Protected IPV6 Networks through Secret-Key Sharing

As the Internet Protocol version 6 (IPv6) implementation becomes more widespread, the IP Security (IPSec) features embedded into the next-generation protocol will become more accessible than ever. Though the network-layer encryption provided by IPSec is a boon to data security, its use renders standard network intrusion detection systems (NIDS) useless. The problem of performing intrusion detection on encrypted traffic has been addressed by differing means with each technique requiring one or more static secret keys to be shared with the NIDS beforehand. The problem with this approach is static keying is much less secure than dynamic key generation through the Internet Key Exchange (IKE) protocol. This research creates and evaluates a secret-key sharing framework which allows both the added security of dynamic IPSec key generation through IKE, and intrusion detection capability for a NIDS on the network. Analysis shows that network traffic related to secret-key sharing with the proposed framework can account for up to 58.6% of total traffic in the worst case scenario, though workloads which are arguably more average decrease that traffic to 10-15%. Additionally, actions associated with IKE and secret-key sharing increase CPU utilization on the NIDS up to 20.7%. Results show, at least in limited implementations, a secret-key sharing framework provides robust coverage and is a viable intrusion detection option

Vulnerability Analysis of the Player Command and Control Protocol

The Player project is an open-source effort providing a control interface specification and software framework for abstracting robot hardware. This research presents five exploits that compromise vulnerabilities in Player\u27s command and control protocol. The attacks exploit weaknesses in the ARP, IP, TCP and Player protocols to compromise the confidentially, integrity, and availability of communication between a Player client and server. The attacks assume a laptop is connected in promiscuous mode to the same Ethernet hub as the client and server in order to sniff all network traffic between them. This work also demonstrates that Internet Protocol Security (IPsec) is capable of mitigating the vulnerabilities discovered in Player\u27s command and control protocol. Experimental results show that all five exploits are successful when Player communication is unprotected but are defeated when IPsec Authentication Header (AH) and Encapsulating Security Protocol (ESP) are deployed together (AH+ESP) in transport mode. A cost function is defined to synthesize three distinct scalar costs (exploit success, CPU utilization, and network load) into a single scalar output that can be used to compare the different defense protocols provided by IPsec. Results from this cost function show that in a scenario when exploits are likely, IPsec AH+ESP is the preferred defense protocol because of its relatively low CPU and network overhead and ability to defeat the exploits implemented in this research by authenticating and encrypting the transport and application layers. Performance data reveals that for the Overo Earth embedded system running a TI OMAP3530 processor at 720MHz, IPsec AH+ESP increases CPU utilization by 0.52% and the network load by 22.9Kbps (64.3% increase)

Wireless backhaul in future cellular communication

Abstract. In 5G technology, huge number of connected devices are needed to be considered where the expected throughput is also very ambitious. Capacity is needed and thus used frequencies are expected to get higher (above 6 GHz even up to 80 GHz), the Cell size getting smaller and number of cells arising significantly. Therefore, it is expected that wireless backhaul will be one option for Network operators to deliver capacity and coverage for high subscriber density areas with reduced cost. Wireless backhaul optimization, performance and scalability will be on the critical path on such cellular system. This master’s thesis work includes connecting a base station by using the wireless backhaul by introducing a VPN in the proposed network. We find the bottleneck and its solution. The network is using 3.5 GHz wireless link instead of LAN wire for backhaul link between the EnodeB and the core network (OpenEPC). LTE TDD band 42 acting as a Wireless Backhaul (Link between EnodeB and Band 42 CPE Router). The status and attachment procedure are observed from different nodes of the openEPC and from the VPN machine. Step by step we have established a tunnel between the CPE device and the VPN server using PPTP and L2TP with IPSec tunneling protocol. The progression towards the final implementation brings in step by step all difficulties and bottlenecks are documented in the study

Building mobile L2TP/IPsec tunnels

Wireless networks introduce a whole range of challenges to the traditional TCP/IP network, especially Virtual Private Network (VPN). Changing IP address is a difficult issue for VPNs in wireless networks because IP addresses are used as one of the identifiers of a VPN connection and the change of IP addresses will break the original connection. The current solution to this problem is to run VPN tunnels over Mobile IP (MIP). However, Mobile IP itself has significant problems in performance and security and that solution is inefficient due to double tunneling. This thesis proposes and implements a new and novel solution on simulators and real devices to solve the mobility problem in a VPN. The new solution adds mobility support to existing L2TP/IPsec (Layer 2 Tunneling Protocol/IP Security) tunnels. The new solution tunnels Layer 2 packets between VPN clients and a VPN server without using Mobile IP, without incurring tunnel-re-establishment at handoff, without losing packets during handoff, achieves better security than current mobility solutions for VPN, and supports fast handoff in IPv4 networks. Experimental results on a VMware simulation showed the handoff time for the VPN tunnel to be 0.08 seconds, much better than the current method which requires a new tunnel establishment at a cost of 1.56 seconds. Experimental results with a real network of computers showed the handoff time for the VPN tunnel to be 4.8 seconds. This delay was mainly caused by getting an IP address from DHCP servers via wireless access points (4.6 seconds). The time for VPN negotiation was only 0.2 seconds. The experimental result proves that the proposed mobility solution greatly reduces the VPN negotiation time but getting an IP address from DHCP servers is a large delay which obstructs the real world application. This problem can be solved by introducing fast DHCP or supplying an IP address from a new wireless access point with a strong signal while the current Internet connection is weak. Currently, there is little work on fast DHCP and this may open a range of new research opportunities

Novel security mechanisms for wireless sensor networks

Wireless Sensor Networks (WSNs) are used for critical applications such as health care, traffic management or plant automation. Thus, we depend on their availability, and reliable, resilient and accurate operation. It is therefore essential that these systems are protected against attackers who may intend to interfere with operations. Existing security mechanisms cannot always be directly transferred to the application domain of WSNs, and in some cases even novel methods are desirable to give increased protection to these systems. The aim of the work presented in this thesis is to augment security of WSNs by devising novel mechanisms and protocols. In particular, it contributes to areas which require protection mechanisms but have not yet received much attention from the research community. For example, the work addresses the issue of secure storage of data on sensor nodes using cryptographic methods. Although cryptography is needed for basic protection, it cannot always secure the sensor nodes as the keys might be compromised and key management becomes more challenging as the number of deployed sensor nodes increases. Therefore, the work includes mechanisms for node identification and tamper detection by means other than pure cryptography. The three core contributions of this thesis are (i) Methods for confidential data storage on WSN nodes. In particular, fast and energy-efficient data storage and retrieval while maintaining the required protection level is addressed. A framework is presented that provides confidential data storage in WSNs with minimal impact on sensor node operation and performance. This framework is further advanced by combining it with secure communication in WSNs. With this framework, data is stored securely on the flash file system such that it can be directly used for secure transmission, which removes the duplication of security operations on the sensor node. (ii) Methods for node identification based on clock skew. Here, unique clock drift patterns of nodes, which are normally a problem for wireless network operation, are used for non-cryptographic node identification. Clock skew has been previously used for device identification, requiring timestamps to be distributed over the network, but this is impractical in duty-cycled WSNs. To overcome this problem, clock skew is measured locally on the node using precise local clocks. (iii) Methods for tamper detection and node identification based on Channel State Information (CSI). Characteristics of a wireless channel at the receiver are analysed using the CSI of incoming packets to identify the transmitter and to detect tampering on it. If an attacker tampers with the transmitter, it will have an effect on the CSI measured at the receiver. However, tamper-unrelated events, such as walking in the communication environment, also affect CSI values and cause false alarms. This thesis demonstrates that false alarms can be eliminated by analysing the CSI value of a transmitted packet at multiple receivers

Securing media streams in an Asterisk-based environment and evaluating the resulting performance cost

When adding Confidentiality, Integrity and Availability (CIA) to a multi-user VoIP (Voice over IP) system, performance and quality are at risk. The aim of this study is twofold. Firstly, it describes current methods suitable to secure voice streams within a VoIP system and make them available in an Asterisk-based VoIP environment. (Asterisk is a well established, open-source, TDM/VoIP PBX.) Secondly, this study evaluates the performance cost incurred after implementing each security method within the Asterisk-based system, using a special testbed suite, named DRAPA, which was developed expressly for this study. The three security methods implemented and studied were IPSec (Internet Protocol Security), SRTP (Secure Real-time Transport Protocol), and SIAX2 (Secure Inter-Asterisk eXchange 2 protocol). From the experiments, it was found that bandwidth and CPU usage were significantly affected by the addition of CIA. In ranking the three security methods in terms of these two resources, it was found that SRTP incurs the least bandwidth overhead, followed by SIAX2 and then IPSec. Where CPU utilisation is concerned, it was found that SIAX2 incurs the least overhead, followed by IPSec, and then SRTP